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“The continuing datafication of our economy presents opportunities for 
innovation but also challenges for safeguarding information rights and privacy. 
The UK Government set up the Regulators’ Pioneer Fund (RPF) to back bold, 
creative and original approaches by regulators that will support businesses in 
bringing innovative products and services into the economy, thus benefitting 
investment and productivity as well as consumers. 


With funding from the RPF, the ICO developed its Regulators’ Business 
Innovation Privacy Hub through comprehensive engagement with other 
regulators. The support the Hub offers UK regulators is helping better embed 
data protection and privacy in the design and application of regulation across 
many sectors of the economy. We were delighted by the ICO’s decision to 
make permanent the Hub and welcome this report, which sets out the ICO’s 
reflections and enables others to learn from them.” 


— Better Regulation Executive 


ICO Innovation Hub - Project Report 


Contents 

4 Information Commissioner’s foreword 

5 Executive summary 

6 About the Regulators’ Pioneer Fund 

7 About the Innovation Hub 

8 The Innovation Hub’s objectives 

10 Innovation Hub engagement statistics 

11 Workstreams 

12 Case study: FCA Global Financial Crime and Anti-Money 
Laundering TechSprint 

13 Case study: Open Banking Implementation Entity 

15 Case study: SRA Legal Access Challenge 

17 Case study: Medicines and Healthcare products Regulatory 
Agency (MHRA) 

19 Case study: Gambling Commission 

20 How we did it 

24 Next steps 

26 Ten top tips for innovators 


TOR A PAPAL TPL? Wnh Drniart Dannrt 
ICO Innovation Hub Project Repori 


Information Commissioner’s foreword 


Good regulation can help make good businesses. Regulation benefits businesses by making clear 
what rights and protections consumers expect and are entitled to, and by reassuring consumers 
that there are checks and balances in place to ensure innovation can be trusted. 


As the UK’s data protection regulator, the ICO is especially aware of this responsibility. Data 

has moved from being the trail we leave behind us as we go through our lives to being the very 
medium through which we are living our lives. Digital innovation enables economic growth, 

from app development to AI, from public service delivery to big data, but it relies on consumers 
trusting their personal data will be treated fairly, lawfully and transparently. Such trust relies on 
organisations understanding their responsibilities, and appreciating the value of designing in data 
protection at an early stage. 


As an office, we are always looking for improved ways to offer that advice and support. The 
Innovation Hub was set up to collaborate with other regulators, offering data protection expertise 
to a greater breadth of innovative businesses. 


This wide-reaching approach is reflected in the projects the Hub has so far been able to support. 
Highlights detailed in this report include assisting the Financial Conduct Authority’s regulatory 
sandbox, advising the Medicines and Healthcare products Regulatory Agency on the use of 
synthetic datasets and working with the Solicitors Regulation Authority to widen the public’s 
access to legal advice and support. 


It is with these successes in mind that I have committed to retaining the Innovation Hub on a 
permanent basis, so we can continue to support innovation through our partnerships with other 
regulators. 


I must thank the BEIS Regulators’ Pioneer Fund for their initial funding for this project. I 
also thank our regulatory partners, who consistently demonstrate the open and collaborative 
approach that characterises modern regulation in the UK. We look forward to continuing our 
relationship with them, and with the businesses we help. 


) 


Elizabeth Denham 
Information Commissioner 


Executive summary 


In November 2018 the ICO set up the Regulators’ Business Innovation Privacy Hub (the 
Innovation Hub). 


The project’s aim is to partner with other regulators, providing expert support to 
businesses on building data protection compliance into innovative products and services. 


Initial project funding came from the BEIS Regulators’ Pioneer Fund (RPF), which aims 
to create a regulatory environment where businesses have the confidence to invest and 
innovate - benefitting consumers and the wider UK economy. 


The Innovation Hub promotes good data protection practices in innovative firms and start- 
ups by using ‘data protection by design and default’, a key element of the GDPR. 


Data protection is an opportunity for innovative businesses instead of a barrier; helping 
to create products which are fit-for-purpose, reducing the likelihood of a data breach, and 
improving consumer confidence and trust. 


We primarily concentrated on three sectors which have seen significant steps in 
technological development - finance, legal, and health - and collaborated in work 
requiring a cross-regulatory focus on consumer vulnerability. 


Using an approach referred to by Nesta as ‘anticipatory regulation’, the Innovation Hub 
provides advice to businesses who are participating in other regulators’ sandboxes, or 
taking part in innovative ‘Challenges’ and events. 


We also work with regulators to increase their awareness of data protection, providing 
training and helping them to draft guidance for firms in their sectors. 


As a new model of business engagement the Innovation Hub has explored a range of 
collaboration and communication methods to promote the project, including engagement 
with the UK Regulators’ Network. 


This model of engagement has required a proactive approach to risk, highlighting that 
Innovation Hub support is not approval of a business or its products, and ensuring that 
this supportive, enabling arm of the ICO does not compromise our powers as a regulator. 


Developing a broad knowledge of the connection between data protection and innovation 
has helped inform our future engagement with businesses, including how to provide 
effective advice and support. 


We have created ‘Ten Top Tips for Innovators’, for use by any innovative firm seeking to 
develop products and services using personal data. 


The work of the Innovation Hub will continue beyond the RPF funding period, 
demonstrating the ICO’s commitment to innovation. 


We will expand our collaboration with other regulators, and embark on new projects with 
other organisations like Catapults, academic institutions, and private-public innovation 
partnerships. This includes continuing to leverage cross-regulatory links to streamline 
regulatory functions and make sure data protection remains a priority. 


About the Regulators’ Pioneer Fund 


Established by the Department for Business, Energy and Industrial Strategy (BEIS), the 
Regulators’ Pioneer Fund (RPF) aims to create a regulatory environment that gives pioneering 
businesses the confidence to invest, innovate, and deploy emerging technologies for the benefit 
of consumers and the wider economy. 


Department for Innovate u K 


Business, Energy 
& Industrial Strategy 


The fund intends to make the UK the world’s most innovative economy through the development 
and promotion of cutting-edge regulatory practices, either within a specific sector or by bringing 
regulators together to explore cross-cutting issues. 


In 2018, £10 million was made available to regulators with proposals for initiatives to help 
businesses bring innovative products and services to market. Fifteen regulators in total were 
awarded funding, with the ICO receiving £537,000. 


The competition overview and more about its connections to the UK’s Grand Challenges 
can be found on the Innovation Funding Service website. 


About the Innovation Hub 


The ICO’s successful bid led to the creation of the Regulators’ Business Innovation Privacy Hub 
(the Innovation Hub). 


The Innovation Hub collaborates with other regulators on initiatives that help bring about 
innovation. We provide expert support to businesses participating in these initiatives, helping 
them build data protection compliance into their projects at an early stage. We give them the 
confidence to create products and services without the perception that complying with the 
legislation creates a barrier to innovation. 


This new model of embedding within other regulators’ programmes distinguishes the team from 
the successful ICO Sandbox pilot. 


The Innovation Hub also collaborates with regulatory bodies to help them embed information 
rights practice in their own procedures when supporting business innovation. 


As a cross-sectoral issue, data protection is a key consideration where personal data is being 
processed - be it in FinTech, LawTech, or other areas seeing fast technological growth. We 
provide clarity to businesses and regulators on how data protection legislation applies to what 
they do, while acknowledging that innovative products may raise new questions around the 
interpretation of data protection law and regulation. 


The work of the Innovation Hub reflects the ICO’s focus on innovation, our desire to support 
business, and our strategic goal to increase the public’s trust and confidence in how their 
personal data will be used (see the ICO Information Rights Strategic Plan for 2017-2021). 


Promoting the benefits of taking a ‘data protection by design’ approach, the Innovation Hub's 
key message is that the GDPR should not be a barrier to innovation. By protecting information 
rights and complying with the data protection principles, businesses can create a product or 
service which is more likely to be effective and fit-for-purpose, and increase their company 
reputation through consumer confidence. 


ICO Innovation Hub - Project Report 


The Innovation Hub’s objectives 


Promoting good 
data protection 


practice within 
businesses who want 
to innovate. 


Contributing 
positively to public 
trust and confidence 
about businesses’ 
handling of their 
personal data. 


Developing the 
ICO's knowledge of 
how data protection 
and innovation can 
work together, and 
feeding into the 
ICO’s Sandbox and 
policy functions to 
support business 
innovation. 


Enhancing other 
regulators’ capacity 
to address data 
protection issues in 
their own sectors. 


> 


Publishing new 
advice and guidance 
for innovating 
businesses. 


“Input from the Hub was an 
important component of the support 
provided to finalists, and one of the 
most valued aspects. The support 
provided to finalists enabled them 
to accelerate the progress they make 
during the six month Challenge 
period working on their solutions to 
improve access to legal services for 
individuals and small businesses.” 


- Nesta, SRA Legal Access Challenge 


“Our work with the Innovation Hub 
is a great example of inter-sector 
collaboration between a start-up, 
industry law firm and regulator.” 


- Legal Utopia, SRA Legal Access Challenge 


“The Innovation Hub allowed us to 
get on with product development 
whilst safe in the knowledge that 
what we were building and planned 
to do was in line with the relevant 
rules and regulations.” 


- Formily, SRA Legal Access Challenge 
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Innovation Hub engagement statistics 
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Workstreams 


Shaped by the requirements of the BEIS funding, all work has fulfilled three requirements: 
1. Collaborating with regulators 
2. Supporting business innovation 


3. Providing public benefit 


The work evolved organically into a focus on three sectors: finance and ‘open’ ecosystems, 
the legal sector, and health. As a result of the ICO’s recent membership of the UK Regulators’ 
Network (UKRN), we also engaged with other regulators about vulnerable consumers. 


Finance and ‘open’ ecosystems 


The Financial Conduct Authority (FCA) has an established Innovation service, which 
includes a Regulatory Sandbox for firms ready to test products, and a Direct Support 
function providing tailored advice to firms seeking FCA authorisation. The Innovation Hub 
provided support on data protection matters to companies receiving assistance from the 
Direct Support function, as well the fifth cohort of businesses in its Regulatory Sandbox. 


The Innovation Hub delivered real-time expertise at the 2019 FCA TechSprint event; and 
responded to a call for input on the concept of a cross-sector sandbox. 


As part of the ICO’s wider relationship with the Open Banking Implementation Entity 
(OBIE), the Innovation Hub collaborated on writing guidance on processing personal data 
for actors within the open banking ecosystem. 


“The training provided by the Innovation Hub has received overwhelmingly 
positive feedback. Our tutor was very knowledgeable and delivered the 
training in a way that is interesting, engaging and easy to understand. This 


is truly remarkable given the complexity of the topics covered and the virtual 
format of a Skype meeting.” 


-— FCA Innovate 
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| Case study: 


FCA Global Financial Crime and Anti- 
Money Laundering TechSprint 


In July 2019 the Innovation Hub attended 
the FCA’s Global Anti Money Laundering and 
Financial Crime TechSprint, providing support 
to competitors building solutions that allow 
detection and prevention of financial crime 
without revealing personal data. 


Staff from the Innovation Hub and the ICO’s 
Technology Policy team were present for the 
duration of the event, giving advice to 10 
teams working on innovative products that 
deployed privacy enhancing technologies 
(PETs). 


Participants were offered face-to-face 
sessions to fill knowledge gaps and discuss 
compliance with privacy legislation, 

ensuring that they were considering a ‘data 
protection by design’ approach and upholding 
individuals’ rights in their proposals. 

The event concluded with a prize-giving 
ceremony, with awards given to those teams 
assessed as excellent in terms of market- 
readiness, creativity and consideration of 
data protection issues. 


The Innovation Hub engaged in further 
discussion with teams who wished to develop 
their ideas further after the event, and 
contributed to the FCA’s post-TechSprint 
report. 


Maintaining a close working relationship 
with the FCA, we have agreed to support 
upcoming TechSprints and workshops. If 
any of the teams choose to use the FCA'S 
regulatory sandbox to test their products, 
they can receive bespoke support from 
the Innovation Hub as part of our ongoing 
‘gateway’ arrangement with the FCA. 


A blog written by Simon McDougall, the 
ICO's Executive Director for Technology 

and Innovation, covered lessons learned 
from the Innovation Hub's support at the 
FCA Techsprint in July 2019. This blog 

was republished by DataIQ and the New 
Statesman - demonstrating the relevance of 
our work and wider interest in our activities. 


| Case study: 


Open Banking Implementation Entity 


The Innovation Hub has given ongoing 
support to the work of the Open Banking 
Implementation Entity (OBIE). The OBIE 
was set up in response to an Order by 
the Competition and Markets Authority 
(CMA) following its retail banking market 
investigation. 


The CMA’s investigation concluded that ‘older 
and larger banks do not have to compete hard 
enough for customers’ business, and smaller 
and newer banks find it difficult to grow’. 


The underlying idea of open banking is 

that users can get better deals and can 

more easily manage their money through 
innovative products and services such as 
comparison tools, account switching facilities, 
automatic savings apps and financial overview 
dashboards. It aligns to an extent with the 
right to the data portability found in the GDPR. 


Although Open Banking was instigated by 
other pieces of legislation, the GDPR is central 
to much of the data processing within the 
system. 


The Innovation Hub managed the ICO's 
relationship with the OBIE by: 


participating and advising on data 
protection at roundtable events about 
customer experience, consent and 
regulation; 


coordinating with the OBIE and FCA to 
provide advice where the GDPR needs 
considering in tandem with the CMA 
Order and European legislation on 
payment services; 


observing at the OBIE Steering Group 
and associated working groups; and 


attending relevant conferences, building 
knowledge and connections with open 
banking stakeholders. 


Being this closely involved has allowed the 
ICO to gain a deeper understanding of the 
core functions and the implications of the 
changes for customers and businesses, and 
influence thinking within the ecosystem about 
user experience and how actors within the 
ecosystem can maintain compliance with the 
GDPR. 


“The result of our collaboration 
with the Innovation Hub was that 
this work has genuinely broken 
new ground in how we address this 
complex area. This has given the 


Open Banking Implementation 
Entity a firm foundation to build 
upon.” 


- Open Banking 


Because of its work with the OBIE, the ICO 
was approached for its input on two similar 
‘open’ initiatives. The Innovation Hub worked 
with the FCA on its enquiries into the viability 
of open finance, which would extend the 
principles and systems of open banking into a 
wider range of financial products and services. 
We also assisted Ofcom with its draft proposal 
for open communications, giving input on how 
the GDPR might affect implementation. 
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Legal sector 


The Innovation Hub supported delivery of the Legal Access Challenge, a joint initiative 
between the Solicitors Regulation Authority (SRA) and Nesta, providing advice and 
guidance to the challenge participants and delivering a workshop which outlined key data 
protection considerations for innovators. 


The SRA referred Legal Utopia, a social LawTech venture, for assistance with the 
development of an app designed to signpost individuals to relevant legal advice and 
support. The Innovation Hub provided advice on data protection considerations relating to 
automated decision-making. 
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| Case study: 


SRA Legal Access Challenge 


The SRA received £700,000 from the RPF to 
collaborate with Nesta to create the Legal “The Legal Access Challenge 
Access Challenge, a legal technology fund. Its 

aim was to see how the legal services market benefited enormously from the 


could use technology to make services more ICO’s collaboration. To have the 
amorable and artesi; level of knowledge available from 


The challenge supported eight finalists whose almost the outset of the project was 
innovations will help individuals, families and invaluable.” 


small businesses get the legal support they 
need. 


- Solicitors Regulation Authority 


These include a legal advice chatbot, and 
several platforms to assist individuals in 
circumstances such as: 


e group litigation cases; 


e allowing domestic abuse sufferers to 
create an online non-molestation order; 
and 


e generating the documentation required 
by a court for a divorce without the 
need to use a Solicitor. 


We delivered the key message that all 

new tech-based initiatives using personal 
data - especially those employing machine 
learning and artificial intelligence - will need 
to consider data protection and privacy 
requirements from the very start. 


Health and care 


Engagement with the health sector led to work with stakeholders in a number of areas relating to 
handling personal data in health and care: 


e Advising the Medicines and Healthcare products Regulatory Agency (MHRA) on the 
development and use of synthetic datasets. 


e Collaborating with Reform and NHS X in the development of a detailed picture of patient 
data flows and associated challenges and risks including data protection. 


e Providing advice to NHSX on the data protection considerations related to the development 
and regulation of AI, looking at patient data from its creation for direct care to the 
processes for accessing data for research purposes. The regulators worked together to 
identify potential risks and perceived regulatory barriers when using AI with patient data. 


e Contributing to cross-government events and roundtables about regulatory reform, 
ensuring data protection remained a key point of awareness and discussion. 


“Having a specified person with 
expertise, and the time to engage with 

us in detail, to contact in the Innovation Hub 
made it quicker and easier to ensure that we 
properly considered the data protection and 
privacy aspects of our work at every stage.” 


- NHSX 
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| Case study: 


Medicines and Healthcare products 
Regulatory Agency (MHRA) 


The Clinical Practice Research Datalink is the Our engagement with the MHRA will continue 
MHRA’s specialist research services centre and via NHSX AI working groups. 

data custodian for anonymised primary care 
data encompassing around 50 million patients, 


patients. CPRD requested advice about the : ; 5 
production and use of synthetic datasets ICO Innovation Hub's advice was 


intended to be made available to innovators, that we agreed early on, with the 


synthetic datasets to see if their algorithms 
produce appropriate results. group, that we would not merely 


upload the synthetic data on 
a public website for download 


which are less medically intrusive to the without any access controls.” 
patient, therapies, and lifestyle changes. 


These algorithms may be used to predict 
various conditions, aiding early interventions 


- MHRA 


Testing of algorithms is vital to assess the 
algorithm is producing medically accurate 
results performance, but innovators are 
often unwilling to disclose their algorithms 
for testing as they constitute important 
intellectual property. 


We advised on data preparation, bias, and the 
risks of reidentification from synthetic data. 


This work has led to the development of two 
synthetic datasets focused on cardiovascular 
risk and Covid-19 risk, which are accessible to 
researchers via an application to CPRD. 


Vulnerable individuals 


New and emerging technologies have the potential to both support vulnerable individuals and 
risk placing them at further disadvantage. The Innovation Hub has actively worked with other 
regulators through the UKRN, particularly in its Vulnerable Consumers sub-group. 


We led discussions on the interaction between vulnerability and information rights, and advised 
on data protection issues arising from innovative approaches to vulnerability intended to improve 
outcomes for consumers. 


Work also took place with the Gambling Commission on improving support for those at risk of 
harm from gambling. Supportive of initiatives which seek to protect vulnerable individuals, we 
engaged with a range of industry stakeholders and made sure data protection was placed at the 
centre of the proposals. 
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Case study: 


Gambling Commission 


The Innovation Hub supported the Gambling 
Commission’s Single Customer View (SCV) 
Challenge, which considered how to protect 
customers vulnerable to harm from gambling. 


The emergence and ease of online gambling 

in recent years has made it more difficult 

for individuals at risk of harm to restrict any 
problematic gambling behaviours. The SCV 
initiative represents a joined-up approach, and 
the use and development of new technologies 
in the gambling sector to better identify and 
support such individuals. 


The Challenge took the form of a two-day 
event where over 100 experts from across the 
sector came together to make progress on 
developing a joined-up solution. 


We presented a workshop on GDPR compliance 
requirements for SCV which focused on finding 
the correct lawful basis, sharing the minimum 
amount of data, and ensuring data is not 
repurposed. We also took part in discussions 
about drawing up a Code of Conduct for SCV 
and the practicalities around setting up a 
sandbox to test different methods of enabling 
SCV before deployment. 


The Gambling Commission’s engagement 
with the ICO, gambling operators, and 
developers of technological solutions has 
led to a deeper understanding of data 
protection considerations. As a result of our 


involvement with this project the Innovation 
Hub contributed to the House of Lords Select 
Committee’s work looking at possible reform of 
the Gambling Act. 


We continue to work with the gambling 
industry to ensure that innovations and 
interventions intended to prevent harm will 
still be compliant with individual rights and 
freedoms as described in the GDPR. This 

will include joining up with the ICO’s other 
innovation services, sandbox, and Codes and 
Certifications teams. 


“The ICO presence at our industry 
event was invaluable in progressing 


the challenge.” 


- Gambling Commission 
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How we did it 


Communicating effectively 


A new team with a unique remit, the Innovation Hub was keen to create a brand to help it stand 
out as an innovative and professional service. 


The Innovation Hub logo was based on the image of a brick, reflecting the idea of data protection 
as something that should be ‘built into’ innovative products and services. Used to develop the 
Innovation Hub’s documentation and templates, this idea was further expanded into a ‘build 

your own brick’ flyer which was handed to participants at the ICO's Data Protection Practitioner 
Conference in April 2019. 


Innovation Innovation 
Hub Hub 


ee eS we - la = 


Baume ror 
UPPOR UNITY 


-TR 


BARRIER OR 
OPPORTUNITY? 


THE HUB freuen Pamer ts 


ONE VIVA 
pe SÒ N AINIAYASNYAL 
rourswiroanasy S¥ffdd son 


WHAT EIEN YOURE BUILDING, GDPR SHOULD BE A PART, NOT A PROBLEM. 


TRE Ico Regulators’ Business Innovation Privacy Hub is a project helping regulators to support businesses seeking to innovate. 


Data protection by design and by default represents an opportunity rather than a barrier for business - and improving customer trust 
in how personal data is used can help give businesses a competitive advantage. 


We are working with regui on good data protection practice for emerging technologies, discussing barriers to 


The ICO’s Regulators’ Busine 
innovation and identifying ar re the ICO can improve the support it gives to businesses. Come and talk to us. 


ation Privacy Hub is working with 
ice for 


A a ing ba and 
id ICO can improve the support it gives to 
1C O br 
e ; 
ESTE cranica ireramononi hub@ico.org.uk 
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Assessing risk 


Perception that the 
Innovation Hub provides 
the full services of a Data 
Protection Officer 


Organisations believe that 
ICO advice constitutes 
approval of a product, 

or an organisation’s data 
protection practices 


Regulators do not see the Mitigated 
value in collaborating with 
the ICO, or being able to through... 


take the opportunity to do so 


Danger of the ICO’s 
enforcement powers 
discouraging organisations 
from participating 


Burdensome paperwork 
and processes dissuading 
companies from participating 


Creating clear terms and 
conditions 


Setting expectations early 


Communicating about the 
tangible benefits 


Targeting engagement 


Increasing Innovation Hub 
presence at external events 
to promote our advisory 
function 


Negotiating with the 
stakeholder 


Iterating processes 


Collaborating with regulators 


As well as being set up to support innovation, the level of direct collaboration required between 
the ICO and other regulatory bodies meant that the Innovation Hub project model was itself 
innovative. 


We built our work on effective engagement, with successful collaboration founded on good 
rapport, open dialogues and clear, mutually-agreed expectations with the appropriate decision- 
maker. 


Regulators in receipt of funding from the RPF were prioritised, but not all the projects involved 
processing of personal data. We identified other relevant opportunities where the Innovation 
Hub could provide support to regulator initiatives relating to business innovation, including 


international regulators. This ensured that we fully used our resources, as well as broadening the 


project’s reach. 


We attended a number of cross-regulator events and meetings to increase the project’s profile 


and establish new relationships with other stakeholders. This included taking part in discussions 


with other RPF project leads, engaging with the UKRN and the BEIS Regulators’ Innovation 
Network, and facilitating a discussion session at the Regulators’ Forum on perceived regulatory 
barriers to innovation. 
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Collaborating with other regulators has proved to be not just valuable but essential in 
achieving the project aims, and beyond. ‘Soft engagement’, particularly seen in the 
Innovation Hub’s work with health sector regulators, is effective in ensuring that data 
protection considerations remain a priority in discussions. 


By proactively working together, regulators can identify areas of overlap, join up key 
messages, and understand each other's role in a way which benefits both their own work and 
that of the businesses they oversee. 


Because personal data is often a key component in innovative products irrespective of sector, 

the Innovation Hub has sought to develop a collaborative approach on data protection across 

a wide range of regulatory bodies. We have been directly involved with events and discussions 
- from observer status on steering and advisory groups through to providing real-time advice 
to businesses producing products at live events. 


This approach has raised awareness of the ICO’s role with both regulators and businesses, 
and has allowed promotion of the concept of ‘data protection by design and default’ in a much 
more effective way; joining with other regulators to identify when the creator of a product or 
service might benefit from some early input on data protection matters. 


External engagement has also benefitted the ICO as whole. Connecting with businesses on 
the leading edge of innovation has given great insight into what is in development, and what 
is on the horizon - in both technology and culture. Anticipatory regulation becomes possible 
when the regulator is informed about what to anticipate. 


“The Hub’s input was valuable for refining our assessment of the potential 
data protection risks posed by our proposed initiative and our proposals to 
mitigate them in the design of the initiative, and supporting our assessment 


when discussing internally.” 


Advising businesses 


The work of the Innovation Hub falls under what Nesta refers to as ‘anticipatory regulation’, 
which is described as ‘an emerging approach that is proactive, iterative and responds to evolving 
markets’. We have achieved this by engaging with regulators and businesses at an early stage 

in a product’s development to ensure that data protection is built-in from the start. By working 
through other regulators, this message can achieve cross-sectoral reach. 


We found that most of the businesses who received the Innovation Hub’s advice took their data 
protection obligations very seriously. It remains a controller’s responsibility to ensure compliance 
with the GDPR, and by using a ‘data protection by design and default’ approach, businesses can 
reduce the risk of things going wrong due to a lack of due care, and possible ICO enforcement. 


We built a suite of documents and templates to explain the service that the Innovation Hub 
offers to regulators and businesses. It was necessary to achieve a balance in protecting both 
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parties’ interests whilst avoiding confusion or even a reluctance to engage with the project. Some 
stakeholders welcomed the legal certainty that this documentation brought, but others found the 
process off-putting and onerous. 


In some cases this resulted in documents being unread and some promising collaboration stalling 
- either because of concerns about the language used, or an understandable reluctance to be 
bound to conditions put in place by another organisation. Start-ups are unlikely to have easy 
access to legal advice, while regulators have their own operational and risk frameworks which 
they have to adhere to. 


While it remains necessary to have some kind of mutual agreement in place, it was not as simple 
to implement this process as first thought. Having recognised that the introduction of further 
legal and cost considerations could itself pose a barrier to participating in a valuable innovative 
project, we are reviewing our terms and conditions to see how we could improve this process in 
future. 


The Innovation Hub is an example of the work the ICO has been doing to improve standards 
of information rights practice through clear, targeted and inspiring engagement and influence. 
While enforcement of the law is one of the ICO’s responsibilities, our primary goal is to help 
organisations get it right. Our engagement work has highlighted to a number of sectors that 
the ICO is here to help and educate. 


“The Innovation Hub helped us make clear decisions about data processing, 
informed by advice. I believe that the processes we have in place are 


simplified as a result of the conversations that we had with the team.” 


- Mencap, on the SRA Legal Access Challenge 


Demonstrating impact 


The Innovation Hub submitted success metrics to BEIS on a quarterly basis, including the 
number of regulators and businesses we had engaged with, pieces of advice we had given 

and our communications activity. However, we also recognised the value in seeking qualitative 
feedback from stakeholders. This is particularly relevant for an organisation like the ICO, which 
does not formally authorise or approve products for market and therefore cannot measure its 
impact in this way. As the work of the team continues to develop and its contact with innovative 
businesses and organisations increases, the clear impact and benefits of the Innovation Hub’s 
work will grow. 
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Next steps 
During the funding period the ICO decided to retain the Innovation Hub and its functions on a 
permanent basis, and it now forms part of the Technology and Innovation Service. 
We will therefore be able to continue several of our ongoing projects: 
Support of the FCA Sandbox and Direct Support functions. 


Engagement with Open Banking, open finance and other proposed open ecosystems, such 
as open communications. 


Assisting recipients of the Nesta EdTech Innovation Fund and CareerTech Challenge. 


Advising participants in the Lawtech UK Lawtech Sandbox, a collaborative initiative 
between Tech Nation, the Lawtech Delivery Panel and the Ministry of Justice. 


Work with Machine Intelligence Garage, the innovation programme driving machine 
learning and artificial intelligence development in the UK. 


Continued engagement with the Gambling Commission on Single Customer View and 
associated work. 


Involvement with health sector regulators, including the MHRA and NHS projects designed 
to support development and use of AI. 


The ICO is supportive of initiatives that give people access and control over their data, improved 
choices, and a greater variety of services. We remain committed to promoting the message 

that data protection and innovation are not mutually exclusive. Data protection can provide an 
opportunity for businesses to uphold individuals’ rights whilst gaining a competitive edge through 
increased consumer trust. 


No longer externally-funded, the Innovation Hub has widened its remit to include seeking 
collaboration with organisations that are not regulators but can achieve similar sectoral reach. 
This includes universities and higher education institutions, Catapults, and public-private 
innovation partnerships. We have already taken preliminary steps to initiate some of these 
relationships. 


From a wider standpoint, we will also continue to investigate how to better leverage cross- 
regulatory working, and how to streamline regulatory functions to encourage innovation. This 
will involve developing relationships with individual regulators or groups of regulators, and 
continuing to participate in initiatives such as forums and cross-government working groups. 
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“The Innovation Hub is of extreme 
value to other regulators as well as 
to individual companies as it shines 
the ICO in a much more ‘business 
partner’ light leading to cooperation 
and better GDPR compliance 

from the start, which has to be in 
everyone’s best interests.” 


- Law Society of Scotland 


“The theoretical input into our 
work as well as ICO presence and 
engagement have been invaluable 
for us and the industry so far. We 
welcome collaboration and cross 
regulatory conversation around 
best practices, challenges and 
opportunities.” 


- Gambling Commission 


Ten top tips for innovators 


Do you need to build data protection into your innovative product or 
service? Here are our ten top tips to help you out - each tip includes 
links to our more detailed guidance. 


Data protection is good for business. Building the data protection 
principles and information rights into your product is an advantage in the 
marketplace, encouraging customer confidence and lowering your risk of 
enforcement action. 


Data protection will remain relevant, even as technology advances. 
Placing individual rights at the centre of your product development makes 
upholding them easier. 


Education is key. If you intend to process personal data, you must be aware 
of your obligations under the legislation. Why not start with the wealth of 
information and guidance materials produced by the ICO? You could also seek 
additional training or expert guidance to ensure your understanding of the 
legislation. 


Take a ‘data protection by design and default’ approach. To save 
yourself headaches further down the line, data protection compliance should 
be built into your product from the start. Data protection by design and default 
is a legal requirement of the GDPR - putting in place the appropriate technical 
and organisational measures to implement the data protection principles, and 
safeguarding individual rights. 
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Carry out a DPIA. If you are looking to process personal data in innovative 
ways or use a new technology, a Data Protection Impact Assessment might 
be obligatory. If you identify a high risk that you cannot mitigate, you'll need 
to consult with the ICO prior to starting your intended processing. And even 
if it isn’t legally required, a thorough DPIA can be a great way to identify and 
address risks associated with your product. 


Decide what you are doing with data. Clearly frame the problem you are 
trying to solve, work out your lawful basis, and only then decide what personal 
data - if any - you need to collect. Never hold data ‘just in case’. 


Open it up - and lock it down. New technologies open up fantastic 
opportunities for consumers through data sharing and data portability. But 
you must tell them where their data is going and why - and use appropriate 
security measures to stop it going anywhere else. 


If your product uses AI, know your obligations. These include explaining 
to individuals how their personal data will be processed, and complying with 
requirements on automated decision-making and profiling. 


Consider using synthetic data. If you are testing a product, there are 
anonymisation and pseudonymisation techniques available to protect 
individuals in large datasets. Synthetic data may help to lower risk if it suitably 
reflects real-world data. If you really can’t do either and need to use live 

data, document your decision-making so that you can demonstrate that you 
are taking people's privacy seriously. Limit what you use and put measures in 
place to minimise the impact of things going wrong. 


The ICO can help. If you need advice you can get help and support from 
the ICO through a range of options, including the Advice Service for Small 
Organisations. Look out for the ICO Sandbox accepting applications from 
organisations seeking hands-on support. And if you are already working with 
another regulator in your sector, the Innovation Hub may be able to assist. 
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